Shane is the one to ask about Security; I'll make sure this one is on his radar.
Jason Porter wrote on May 23, 2011 17:44:
Shane is out on vacation this week; he may or may not respond while he is out. I suggest you look into PicketLink, as that's the underlying security framework under Seam Security.
Well, thanks for the reply. I am aware that PicketLink would be the place to go, but I would think that there is also some Seam Security-specific configuration I would need to apply, no?
So, since I am not in a hurry with this and don't have the time to figure everything out by myself, I'd rather wait for Shane to return from his vacation and post at least a small basic pointer on how the configuration is supposed to happen.
I actually had some time yesterday to play around with it again and managed to get it working to some extent. But IMHO, having used the Seam 2 LDAP integration, I'd say that the Seam 3 Security LDAP support is a major regression. :(
First of all, I was not able to do basic LDAP integration by simple XML configuration but had to write an LdapIdentityStoreConfiguration that would extend IdentityStoreConfiguration.
So PicketLink IDM would now connect to my LDAP server, and it authenticated the user against it. Great! But when the Seam-provided IdmAuthenticator now tries to call identitySession.getRoleManager(), it would throw a FeatureNotSupportedException because PicketLink's LDAPIdentityStoreImpl does not seem to support roles... DOH! I googled a little, and the only answer I found to this in the GateIn forums was:
if you need roles, then write your own LDAPIdentityStore implementation. I might even have done this if the LDAPIdentityStoreImpl were a little more extension-friendly...
I ended up implementing my own LDAPAuthenticator instead and sacrificed roles in favor of simple groups, which seems to be working just fine with the LDAPIdentityStoreImpl.
My conclusion is that the Seam 3 Security component (and maybe also PicketLink IDM itself) needs some serious love for the poor LDAP users in order to push it to the state of usability where Seam 2 LDAP integration has been for quite some time now (given that I did not miss something fundamental in the process of trial-and-erroring my way through the LDAP configuration). :(
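For readers who want to see what the workaround in the post above (a custom authenticator, groups instead of roles) looks like, here is an added example. It is not code from this thread, from Seam or from PicketLink; it is an editor's sketch written against Seam 3 Security's BaseAuthenticator/Credentials API and plain JNDI, so no PicketLink role manager is involved. The LDAP URL, the base DNs, the `uid=` naming convention, the `groupOfNames`/`member` group schema, the `"LDAP"` group type and the `Identity.addGroup` call are assumptions; check them against your directory and your Seam version. Two checks worth keeping whatever you change: an empty password is rejected before the bind, because many servers treat a simple bind with a DN and an empty password as a successful unauthenticated bind, and the username is escaped once as a DN value (RFC 4514) and the resulting DN again as a filter value (RFC 4515) so a crafted username cannot alter the DN or the group search.

```java
package example.security; // hypothetical package

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.inject.Inject;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

import org.jboss.seam.security.Authenticator.AuthenticationStatus;
import org.jboss.seam.security.BaseAuthenticator;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.picketlink.idm.impl.api.PasswordCredential;
import org.picketlink.idm.impl.api.model.SimpleUser;

/** Binds to LDAP with the submitted credentials and maps group memberships onto Seam groups. */
public class LdapAuthenticator extends BaseAuthenticator {

    // All four values are assumptions for this example.
    private static final String LDAP_URL   = "ldaps://ldap.example.com:636"; // use TLS, never plain 389 for binds
    private static final String PEOPLE_DN  = "ou=People,dc=example,dc=com";
    private static final String GROUPS_DN  = "ou=Groups,dc=example,dc=com";
    private static final String GROUP_TYPE = "LDAP";

    @Inject Credentials credentials;
    @Inject Identity identity;

    @Override
    public void authenticate() {
        String username = credentials.getUsername();
        Object cred = credentials.getCredential();
        String password = cred instanceof PasswordCredential ? ((PasswordCredential) cred).getValue() : null;

        // Reject empty credentials up front: a bind with an empty password is "unauthenticated"
        // and succeeds on many servers, which would log anyone in as any user.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            setStatus(AuthenticationStatus.FAILURE);
            return;
        }

        String userDn = "uid=" + escapeDn(username) + "," + PEOPLE_DN;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind itself is the password check
            setUser(new SimpleUser(username));
            for (String group : findGroups(ctx, userDn)) {
                identity.addGroup(group, GROUP_TYPE); // assumed Seam 3 Identity API; verify for your version
            }
            setStatus(AuthenticationStatus.SUCCESS);
        } catch (NamingException e) {
            // Wrong password, unknown user and server errors all land here; do not tell the client which.
            setStatus(AuthenticationStatus.FAILURE);
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }

    /** cn of every groupOfNames directly under GROUPS_DN whose member attribute lists userDn. */
    static List<String> findGroups(DirContext ctx, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] { "cn" });
        String filter = "(&(objectClass=groupOfNames)(member=" + escapeFilter(userDn) + "))";
        List<String> groups = new ArrayList<String>();
        NamingEnumeration<SearchResult> results = ctx.search(GROUPS_DN, filter, sc);
        while (results.hasMore()) {
            Attribute cn = results.next().getAttributes().get("cn");
            if (cn != null) groups.add(String.valueOf(cn.get()));
        }
        return groups;
    }

    /** RFC 4514: escape characters that are special inside a DN attribute value. */
    static String escapeDn(String value) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') { sb.append("\\00"); continue; }
            boolean special = ",+\"\\<>;".indexOf(c) >= 0
                    || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == value.length() - 1));
            if (special) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    /** RFC 4515: escape characters that are special inside a search filter value. */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Seam 3 picks this bean up as the application's Authenticator when it is the only one on the classpath; otherwise point Identity at it by class name in your Seam configuration. Because the user's own credentials perform the bind, no service account password has to live in the web tier, but the trust store for the `ldaps` endpoint still has to be configured in the JVM or the directory's certificate will be rejected.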
Would you please add a feature request in jira?
There is nothing about ACL-based permissions in the Seam 3 documentation. Is there any example or draft doc available?
Thorsten Kunz wrote:
Can you send us your LdapIdentityStoreConfiguration.class, please?
Sorry, but I can't. The project has taken a different solution, since Seam 3 Security/LDAP was just not in a state where we wanted to use it at that time.